From 5896bad9cf0d986dc49fcae078b80da405d14b47 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 14 2008 20:01:48 +0000
Subject: 
---
diff --git a/modules-mls.conf b/modules-mls.conf
index 330c3bc..625aee3 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1074,6 +1074,13 @@ staff = base
 #
 user = base
 
+# Layer: services
+# Module: prelude
+#
+#
+#
+prelude = module
+
 # Layer: users
 # Module: secadm
 #
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 03c2bf1..5ba8e2a 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
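Review bot: The new `prelude = module` entry carries three bare `#` lines and is inserted between the `users`-layer `user` and `secadm` entries, so a `services`-layer block now sits in the middle of the users block. If the neighbouring entries use the middle `#` line for a one-line module description, fill it in (e.g. `# Prelude hybrid intrusion detection system` — constructed from the module name, confirm against the module's own summary), and if the file is kept grouped by layer move the block next to the other services modules. This line only makes prelude a loadable module in the MLS build; it changes nothing about what the policy allows.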
@@ -8,6 +8,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/ - Label /proc/kallsyms with system_map_t. - 64-bit capabilities from Stephen Smalley. - Labeled networking peer object class updates. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile +--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 ++++ serefpolicy-3.3.1/Makefile 2008-04-04 12:06:55.000000000 -0400 +@@ -235,7 +235,7 @@ + appdir := $(contextpath) + user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) + user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) +-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) + net_contexts := $(builddir)net_contexts + + all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -309,20 +309,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- 
$(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile +@@ -521,6 +523,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular +--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.modular 2008-04-04 12:06:56.000000000 -0400 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # 
define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -147,7 +147,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic +--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-04 12:06:56.000000000 -0400 +@@ -96,7 +96,7 @@ + # + # Load the binary policy + # +-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) ++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) + @echo "Loading $(NAME) $(loadpath)" + $(verbose) $(LOADPOLICY) -q $(loadpath) + @touch $(tmpdir)/load diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-04 12:06:55.000000000 -0400 
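Review bot: The disabled bodies of `define parse-rolemap` and `define perrole-expansion` keep their old recipe lines as `#` comments, but inside a `define` those lines stay part of the macro value and are still expanded and handed to the shell as comment-prefixed commands wherever the macro is `$(call)`ed; the same holds for the `+# $(call perrole-expansion,...)` and `+# $(call parse-rolemap,base,$@)` lines in Rules.modular if they keep their recipe tab. Delete the dead lines instead of commenting them out, and drop the unconditional `echo "No longer doing perrole-expansion"`, which is not behind `$(verbose)` and prints once per module compile — a parse-time `$(warning per-role expansion is disabled)` would say it once. `parse-rolemap` still does `echo "" >> $2`, so `$(tmpdir)/rolemap.conf` now holds only blank lines yet remains a prerequisite of `all_te_files.conf`; if the rolemap is retired, retire that target and `$(rolemap)` with it. The new `$(appdir)/initrc_context` rule deliberately shadows the `$(appdir)/%: $(appconf)/%` pattern for that one file; a comment such as `# initrc_context is generated into $(tmpdir), not copied from $(appconf)` would spare the next reader the lookup.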
@@ -691,62 +791,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile ---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/Makefile 2008-04-04 12:06:55.000000000 -0400 -@@ -235,7 +235,7 @@ - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -309,20 +309,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 
-- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -521,6 +523,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - $(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-04 12:06:55.000000000 -0400 
@@ -2522,109 +2566,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-04 12:06:55.000000000 -0400 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,35 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. 
- corecmd_shell_domtrans($1_sudo_t,$2) -+ corecmd_bin_domtrans($1_sudo_t,$2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +108,42 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -+ mta_per_role_template($1, $1_sudo_t, $3) -+ - userdom_manage_user_home_content_files($1,$1_sudo_t) - userdom_manage_user_home_content_symlinks($1,$1_sudo_t) - userdom_manage_user_tmp_files($1,$1_sudo_t) - userdom_manage_user_tmp_symlinks($1,$1_sudo_t) -+ userdom_exec_user_home_content_files($1,$1_sudo_t) - userdom_use_user_terminals($1,$1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ userdom_search_sysadm_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, 
sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-04-04 12:06:55.000000000 -0400 
@@ -2755,6 +2696,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-04 12:06:55.000000000 -0400 +@@ -55,7 +55,7 @@ + # + + # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; ++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; +@@ -68,33 +68,35 @@ + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; ++ allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. 
+ corecmd_shell_domtrans($1_sudo_t,$2) ++ corecmd_bin_domtrans($1_sudo_t,$2) + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) + + dev_read_urand($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + +- auth_domtrans_chk_passwd($1_sudo_t) ++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_getattr_all_executables($1_sudo_t) ++ corecmd_exec_all_executables($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) +@@ -106,32 +108,42 @@ + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) ++ files_list_tmp($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + libs_use_ld_so($1_sudo_t) + libs_use_shared_libs($1_sudo_t) + ++ logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + ++ mta_per_role_template($1, $1_sudo_t, $3) ++ + userdom_manage_user_home_content_files($1,$1_sudo_t) + userdom_manage_user_home_content_symlinks($1,$1_sudo_t) + userdom_manage_user_tmp_files($1,$1_sudo_t) + userdom_manage_user_tmp_symlinks($1,$1_sudo_t) ++ userdom_exec_user_home_content_files($1,$1_sudo_t) + userdom_use_user_terminals($1,$1_sudo_t) + userdom_use_unpriv_users_fds($1_sudo_t) + # for some PAM modules and for cwd ++ userdom_search_sysadm_home_content_dirs($1_sudo_t) + userdom_dontaudit_search_all_users_home_content($1_sudo_t) + +- ifdef(`TODO',` +- # for when the network connection is killed +- dontaudit unpriv_userdomain $1_sudo_t:process signal; +- +- ifdef(`mta.te', ` +- domain_auto_trans($1_sudo_t, 
sendmail_exec_t, $1_mail_t) +- ') ++ domain_role_change_exemption($1_sudo_t) ++ userdom_spec_domtrans_all_users($1_sudo_t) + +- ') dnl end TODO ++ selinux_validate_context($1_sudo_t) ++ selinux_compute_relabel_context($1_sudo_t) ++ selinux_getattr_fs($1_sudo_t) ++ seutil_read_config($1_sudo_t) ++ seutil_search_default_contexts($1_sudo_t) ++ ++ term_use_all_user_ttys($1_sudo_t) ++ term_use_all_user_ptys($1_sudo_t) ++ term_relabel_all_user_ttys($1_sudo_t) ++ term_relabel_all_user_ptys($1_sudo_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-06 07:10:39.000000000 -0400 @@ -4576,7 +4620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-04-14 14:18:09.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
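Review bot: The rewritten body now references `$3` in `auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })` and `mta_per_role_template($1, $1_sudo_t, $3)`, while the template's signature and its parameter documentation lie outside the hunk; confirm that a third parameter (presumably the user role) is declared and documented there, because an unsupplied m4 argument silently expands to an empty string. The block also widens `$1_sudo_t` considerably — `corecmd_exec_all_executables`, `corecmd_bin_domtrans($1_sudo_t,$2)` in place of `corecmd_shell_domtrans`, `domain_role_change_exemption`, `userdom_spec_domtrans_all_users`, and use/relabel rights on every user tty and pty — with no comment saying which sudo behaviour each group serves. A why-comment per group, e.g. `# sudo -u <user>: enter any user domain and change role` above `domain_role_change_exemption` and `userdom_spec_domtrans_all_users`, would let a later reader judge whether a grant is still needed. Replacing the old `ifdef(`TODO',...)` mail transition with `mta_per_role_template($1, $1_sudo_t, $3)` is a behaviour change that deserves a line in the (currently empty) commit description.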
@@ -5091,7 +5135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.3.1/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mplayer.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/mplayer.if 2008-04-14 14:24:43.000000000 -0400 @@ -35,6 +35,7 @@ template(`mplayer_per_role_template',` gen_require(` @@ -5178,7 +5222,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. ') domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t) -@@ -503,8 +506,8 @@ +@@ -478,6 +481,25 @@ + + ######################################## + ## ++## Execute mplayer in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`mplayer_exec',` ++ gen_require(` ++ type mplayer_exec_t; ++ ') ++ ++ can_exec($1, mplayer_exec_t) ++') ++ ++######################################## ++## + ## Read mplayer per user homedir + ## + ## +@@ -503,8 +525,8 @@ # template(`mplayer_read_user_home_files',` gen_require(` @@ -5572,8 +5642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-10 08:50:50.000000000 -0400 -@@ -0,0 +1,189 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-14 14:25:20.000000000 -0400 +@@ -0,0 +1,198 @@ + +policy_module(nsplugin,1.0.0) + 
@@ -5708,6 +5778,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + +optional_policy(` ++ mplayer_exec(nsplugin_t) ++') ++ ++optional_policy(` + unconfined_execmem_signull(nsplugin_t) + unconfined_delete_tmpfs_files(nsplugin_t) +') @@ -5759,10 +5833,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_fonts(nsplugin_config_t) ++miscfiles_read_home_fonts(nsplugin_config_t) + +userdom_search_all_users_home_content(nsplugin_config_t) + +nsplugin_domtrans(nsplugin_config_t) ++ ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_config_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.3.1/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/apps/openoffice.fc 2008-04-04 12:06:55.000000000 -0400 @@ -6586,7 +6665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-04-07 14:56:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-04-14 15:22:27.000000000 -0400 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
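Review bot: `mozilla_read_user_home_files(user, nsplugin_config_t)` hard-codes the `user` role prefix, so `nsplugin_config_t` can read only the `user`-prefixed mozilla home type; if the same config domain serves staff or other roles whose profiles carry their own prefix, those reads will be denied and the cause will be hard to trace. Either derive the prefix from the caller or record the limitation beside the call, e.g. `# only the user_r mozilla profile is readable here; other role prefixes need their own call`. In the earlier hunk, `mplayer_exec(nsplugin_t)` runs mplayer inside `nsplugin_t` rather than transitioning it, which keeps mplayer under the plugin domain's rules; a one-line comment stating that intent would keep a later reviewer from "fixing" it with a domain transition.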
@@ -6668,7 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -213,9 +219,10 @@ +@@ -213,9 +219,11 @@ /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6677,10 +6756,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco -/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +291,10 @@ +@@ -284,3 +292,10 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8309,7 +8389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2008-02-18 14:30:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-04-14 14:08:03.000000000 -0400 @@ -38,6 +38,9 @@ type amavis_spool_t; files_type(amavis_spool_t) 
@@ -8322,7 +8402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-04-14 16:01:13.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -8345,7 +8425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,9 +48,11 @@ +@@ -48,11 +48,14 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -8356,8 +8436,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) ++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -66,10 +68,21 @@ + /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +@@ -66,10 +69,21 @@ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) 
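Review bot: The new `/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)` matches a `logs` directory at any depth under /var/www, including inside content trees that web applications may be allowed to write to, so a `logs` directory created by a script would be relabelled to `httpd_log_t` on the next restorecon rather than kept as content. Check that this is intended, that no httpd-writable content type can create such a directory, and which entry wins when this pattern and a more specific content entry both match a path. A comment above the line such as `# per-vhost log dirs under /var/www are log data, not content` would record the intent.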
@@ -10429,18 +10512,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.3.1/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te 2008-04-04 12:06:55.000000000 -0400 -@@ -17,6 +17,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te 2008-04-14 14:08:49.000000000 -0400 +@@ -17,6 +17,12 @@ type bitlbee_var_t; files_type(bitlbee_var_t) ++type bitlbee_tmp_t; ++files_tmp_file(bitlbee_tmp_t) ++ +type bitlbee_script_exec_t; +init_script_type(bitlbee_script_exec_t) + ######################################## # # Local policy -@@ -54,6 +57,12 @@ +@@ -26,9 +32,15 @@ + allow bitlbee_t self:udp_socket create_socket_perms; + allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; + allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; ++allow bitlbee_t self:fifo_file rw_fifo_file_perms; ++allow bitlbee_t self:process signal; + + bitlbee_read_config(bitlbee_t) + ++# tmp files ++manage_files_pattern(bitlbee_t,bitlbee_tmp_t,bitlbee_tmp_t) ++files_tmp_filetrans(bitlbee_t,bitlbee_tmp_t,file) ++ + # user account information is read and edited at runtime; give the usual + # r/w access to bitlbee_var_t + manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) +@@ -54,6 +66,12 @@ corenet_tcp_connect_msnp_port(bitlbee_t) corenet_tcp_sendrecv_msnp_port(bitlbee_t) @@ -10453,7 +10555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl files_read_etc_files(bitlbee_t) files_search_pids(bitlbee_t) # grant read-only access to the user help files -@@ -62,6 +71,8 @@ +@@ -62,6 +80,8 @@ libs_legacy_use_shared_libs(bitlbee_t) libs_use_ld_so(bitlbee_t) 
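Review bot: The new tmp handling declares `files_tmp_filetrans(bitlbee_t,bitlbee_tmp_t,file)` and `manage_files_pattern(bitlbee_t,bitlbee_tmp_t,bitlbee_tmp_t)` for the file class only, so anything else bitlbee creates under /tmp (a directory or a socket, if it ever does) would keep the generic tmp label and be denied. If bitlbee is only known to write regular files there, say so in the `# tmp files` comment, e.g. `# tmp files (bitlbee writes only regular files to /tmp)`. The added `allow bitlbee_t self:fifo_file rw_fifo_file_perms;` and `allow bitlbee_t self:process signal;` carry no note of what triggered them; if they came from an AVC denial, quoting it in a comment makes the grant reviewable later.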
@@ -12923,7 +13025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-14 15:20:57.000000000 -0400 @@ -9,6 +9,7 @@ # # Delcarations @@ -13001,7 +13103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +139,28 @@ +@@ -121,9 +139,32 @@ ') optional_policy(` @@ -13028,6 +13130,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + ') + unconfined_domain(unconfined_dbusd_t) + allow dbusd_unconfined domain:dbus send_msg; ++ ++ optional_policy(` ++ xserver_xdm_rw_shm(unconfined_dbusd_t) ++ ') +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if @@ -14960,7 +15066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-04-11 15:08:40.000000000 -0400 @@ -8,6 +8,7 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) 
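Review bot: `xserver_xdm_rw_shm(unconfined_dbusd_t)` is added inside the block that already calls `unconfined_domain(unconfined_dbusd_t)` a few lines above, so it presumably grants nothing the domain does not already have. If it closes a real gap in this tree (an MLS constraint or something `unconfined_domain` does not cover), the reason belongs in a comment, e.g. `# needed despite unconfined_domain: <denial or constraint here>`; otherwise drop it rather than accumulate grants nobody can explain.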
@@ -14969,13 +15075,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) -@@ -16,10 +17,12 @@ +@@ -16,10 +17,13 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) @@ -15032,7 +15139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-04-14 09:25:23.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -15043,6 +15150,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local policy +@@ -57,7 +60,7 @@ + # execute openvt which needs setuid + allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; + dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; +-allow hald_t self:process signal_perms; ++allow hald_t self:process { getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; + allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow hald_t self:unix_dgram_socket create_socket_perms; @@ -70,7 +73,7 @@ manage_files_pattern(hald_t,hald_cache_t,hald_cache_t) @@ -18643,6 +18759,185 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-14 14:30:28.000000000 -0400 +@@ -6,6 +6,14 @@ + # Declarations + # + ++## ++##

++## Allow postfix_local domain full write access to mail_spool directories ++## ++##

++##
++gen_tunable(allow_postfix_local_write_mail_spool,false) ++ + attribute postfix_user_domains; + # domains that transition to the + # postfix user domains +@@ -27,6 +35,10 @@ + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) + ++tunable_policy(`allow_postfix_local_write_mail_spool', ` ++ mta_rw_spool(postfix_local_t) ++') ++ + type postfix_local_tmp_t; + files_tmp_file(postfix_local_tmp_t) + +@@ -34,6 +46,7 @@ + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t,postfix_map_exec_t) ++role system_r types postfix_map_t; + + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) +@@ -99,6 +112,7 @@ + allow postfix_master_t self:fifo_file rw_fifo_file_perms; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; + allow postfix_master_t self:udp_socket create_socket_perms; ++allow postfix_master_t self:process setrlimit; + + allow postfix_master_t postfix_etc_t:file rw_file_perms; + +@@ -174,6 +188,7 @@ + + mta_rw_aliases(postfix_master_t) + mta_read_sendmail_bin(postfix_master_t) ++mta_getattr_spool(postfix_master_t) + + optional_policy(` + cyrus_stream_connect(postfix_master_t) +@@ -248,6 +263,10 @@ + + corecmd_exec_bin(postfix_cleanup_t) + ++optional_policy(` ++ mailman_read_data_files(postfix_cleanup_t) ++') ++ + ######################################## + # + # Postfix local local policy +@@ -273,18 +292,25 @@ + + files_read_etc_files(postfix_local_t) + ++logging_dontaudit_search_logs(postfix_local_t) ++ + mta_read_aliases(postfix_local_t) + mta_delete_spool(postfix_local_t) + # For reading spamassasin + mta_read_config(postfix_local_t) + ++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ + optional_policy(` + clamav_search_lib(postfix_local_t) ++ clamav_exec_clamscan(postfix_local_t) + ') + + optional_policy(` + # for postalias + mailman_manage_data_files(postfix_local_t) ++ mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) + 
') + + optional_policy(` +@@ -295,8 +321,7 @@ + # + # Postfix map local policy + # +- +-allow postfix_map_t self:capability setgid; ++allow postfix_map_t self:capability { dac_override setgid setuid }; + allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; + allow postfix_map_t self:unix_dgram_socket create_socket_perms; + allow postfix_map_t self:tcp_socket create_stream_socket_perms; +@@ -346,8 +371,6 @@ + + miscfiles_read_localization(postfix_map_t) + +-seutil_read_config(postfix_map_t) +- + tunable_policy(`read_default_t',` + files_list_default(postfix_map_t) + files_read_default_files(postfix_map_t) +@@ -360,6 +383,11 @@ + locallogin_dontaudit_use_fds(postfix_map_t) + ') + ++optional_policy(` ++# for postalias ++ mailman_manage_data_files(postfix_map_t) ++') ++ + ######################################## + # + # Postfix pickup local policy +@@ -384,6 +412,7 @@ + # + + allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; ++allow postfix_pipe_t self:process setrlimit; + + write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) + +@@ -391,6 +420,12 @@ + + rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) + ++domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ ++optional_policy(` ++ dovecot_domtrans_deliver(postfix_pipe_t) ++') ++ + optional_policy(` + procmail_domtrans(postfix_pipe_t) + ') +@@ -400,6 +435,10 @@ + ') + + optional_policy(` ++ mta_manage_spool(postfix_pipe_t) ++') ++ ++optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) + ') + +@@ -532,9 +571,6 @@ + # connect to master process + stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) + +-# Connect to policy server +-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) +- + # for prng_exch + allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; + allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; +@@ -557,6 +593,10 @@ + 
sasl_connect(postfix_smtpd_t) + ') + ++optional_policy(` ++ dovecot_auth_stream_connect(postfix_smtpd_t) ++') ++ + ######################################## + # + # Postfix virtual local policy +@@ -584,3 +624,4 @@ + # For reading spamassasin + mta_read_config(postfix_virtual_t) + mta_manage_spool(postfix_virtual_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc --- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-04 12:06:55.000000000 -0400 @@ -18737,185 +19032,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Local Policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-09 08:18:34.000000000 -0400 -@@ -6,6 +6,14 @@ - # Declarations - # - -+## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+## -+##

-+##
-+gen_tunable(allow_postfix_local_write_mail_spool,false) -+ - attribute postfix_user_domains; - # domains that transition to the - # postfix user domains -@@ -27,6 +35,10 @@ - postfix_server_domain_template(local) - mta_mailserver_delivery(postfix_local_t) - -+tunable_policy(`allow_postfix_local_write_mail_spool', ` -+ mta_rw_spool(postfix_local_t) -+') -+ - type postfix_local_tmp_t; - files_tmp_file(postfix_local_tmp_t) - -@@ -34,6 +46,7 @@ - type postfix_map_t; - type postfix_map_exec_t; - application_domain(postfix_map_t,postfix_map_exec_t) -+role system_r types postfix_map_t; - - type postfix_map_tmp_t; - files_tmp_file(postfix_map_tmp_t) -@@ -99,6 +112,7 @@ - allow postfix_master_t self:fifo_file rw_fifo_file_perms; - allow postfix_master_t self:tcp_socket create_stream_socket_perms; - allow postfix_master_t self:udp_socket create_socket_perms; -+allow postfix_master_t self:process setrlimit; - - allow postfix_master_t postfix_etc_t:file rw_file_perms; - -@@ -174,6 +188,7 @@ - - mta_rw_aliases(postfix_master_t) - mta_read_sendmail_bin(postfix_master_t) -+mta_getattr_spool(postfix_master_t) - - optional_policy(` - cyrus_stream_connect(postfix_master_t) -@@ -248,6 +263,10 @@ - - corecmd_exec_bin(postfix_cleanup_t) - -+optional_policy(` -+ mailman_read_data_files(postfix_cleanup_t) -+') -+ - ######################################## - # - # Postfix local local policy -@@ -273,18 +292,25 @@ - - files_read_etc_files(postfix_local_t) - -+logging_dontaudit_search_logs(postfix_local_t) -+ - mta_read_aliases(postfix_local_t) - mta_delete_spool(postfix_local_t) - # For reading spamassasin - mta_read_config(postfix_local_t) - -+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) -+ - optional_policy(` - clamav_search_lib(postfix_local_t) -+ clamav_exec_clamscan(postfix_local_t) - ') - - optional_policy(` - # for postalias - mailman_manage_data_files(postfix_local_t) -+ mailman_append_log(postfix_local_t) -+ mailman_read_log(postfix_local_t) - 
') - - optional_policy(` -@@ -295,8 +321,7 @@ - # - # Postfix map local policy - # -- --allow postfix_map_t self:capability setgid; -+allow postfix_map_t self:capability { dac_override setgid setuid }; - allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_map_t self:unix_dgram_socket create_socket_perms; - allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +371,6 @@ - - miscfiles_read_localization(postfix_map_t) - --seutil_read_config(postfix_map_t) -- - tunable_policy(`read_default_t',` - files_list_default(postfix_map_t) - files_read_default_files(postfix_map_t) -@@ -360,6 +383,11 @@ - locallogin_dontaudit_use_fds(postfix_map_t) - ') - -+optional_policy(` -+# for postalias -+ mailman_manage_data_files(postfix_map_t) -+') -+ - ######################################## - # - # Postfix pickup local policy -@@ -384,6 +412,7 @@ - # - - allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; -+allow postfix_pipe_t self:process setrlimit; - - write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) - -@@ -391,6 +420,12 @@ - - rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) - -+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) -+ -+optional_policy(` -+ dovecot_domtrans_deliver(postfix_pipe_t) -+') -+ - optional_policy(` - procmail_domtrans(postfix_pipe_t) - ') -@@ -400,6 +435,10 @@ - ') - - optional_policy(` -+ mta_manage_spool(postfix_pipe_t) -+') -+ -+optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) - ') - -@@ -532,9 +571,6 @@ - # connect to master process - stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) - --# Connect to policy server --corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -- - # for prng_exch - allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; - allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +593,10 @@ - 
sasl_connect(postfix_smtpd_t) - ') - -+optional_policy(` -+ dovecot_auth_stream_connect(postfix_smtpd_t) -+') -+ - ######################################## - # - # Postfix virtual local policy -@@ -584,3 +624,4 @@ - # For reading spamassasin - mta_read_config(postfix_virtual_t) - mta_manage_spool(postfix_virtual_t) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-04 12:06:55.000000000 -0400 @@ -19035,9 +19151,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.3.1/policy/modules/services/postgrey.if --- nsaserefpolicy/policy/modules/services/postgrey.if 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-04-04 12:06:55.000000000 -0400 -@@ -19,3 +19,74 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-04-14 10:40:45.000000000 -0400 +@@ -12,10 +12,82 @@ + # + interface(`postgrey_stream_connect',` + gen_require(` +- type postgrey_var_run_t, postgrey_t; ++ type postgrey_var_run_t, postgrey_t, postgrey_spool_t; + ') + + allow $1 postgrey_t:unix_stream_socket connectto; allow $1 postgrey_var_run_t:sock_file write; ++ allow $1 postgrey_spool_t:sock_file write; files_search_pids($1) ') + 
@@ -19113,8 +19238,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.3.1/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postgrey.te 2008-04-04 12:06:55.000000000 -0400 -@@ -13,26 +13,37 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgrey.te 2008-04-14 10:40:21.000000000 -0400 +@@ -13,26 +13,38 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) @@ -19149,11 +19274,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) +manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) +manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) ++manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) + manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t) files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file) -@@ -85,6 +96,11 @@ +@@ -85,6 +97,11 @@ ') optional_policy(` 
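Review bot: `postgrey_stream_connect` now also grants `write` on `postgrey_spool_t:sock_file`, but the only directory traversal the interface gives its caller is `files_search_pids($1)`; a socket under `/var/spool/postfix/postgrey` (labelled `postgrey_spool_t` by the postgrey.fc hunk above) presumably also requires the caller to search `/var/spool` and the postfix spool directory, so a caller without those rights would still be denied at path lookup. Consider adding `files_search_spool($1)` (and a postfix spool search interface if this tree has one) to the same interface instead of relying on each caller to carry it. The interface's doc block is outside this hunk; its summary should mention that the socket may live in the spool as well as under /var/run. The postgrey.te hunk that adds `manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)` is consistent with this.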
@@ -20512,123 +20638,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-04 12:06:56.000000000 -0400 -@@ -5,3 +5,5 @@ - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+ -+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-04 12:06:56.000000000 -0400 -@@ -95,3 +95,70 @@ - manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_search_var_lib($1) - ') -+ -+######################################## -+## -+## Execute rpcbind server in the rpcbind domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`rpcbind_script_domtrans',` -+ gen_require(` -+ type rpcbind_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,rpcbind_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rpcbind environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the rpcbind domain. -+## -+## -+## -+## -+## The type of the user terminal. 
-+## -+## -+## -+# -+interface(`rpcbind_admin',` -+ gen_require(` -+ type rpcbind_t; -+ type rpcbind_script_exec_t; -+ type rpcbind_var_lib_t; -+ type rpcbind_var_run_t; -+ ') -+ -+ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, rpcbind_t, rpcbind_t) -+ -+ # Allow rpcbind_t to restart the apache service -+ rpcbind_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 rpcbind_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ manage_all_pattern($1,rpcbind_var_lib_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,rpcbind_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-04 12:06:56.000000000 -0400 -@@ -16,16 +16,21 @@ - type rpcbind_var_lib_t; - files_type(rpcbind_var_lib_t) - -+type rpcbind_script_exec_t; -+init_script_type(rpcbind_script_exec_t) -+ - ######################################## - # - # rpcbind local policy - # - --allow rpcbind_t self:capability setuid; -+allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; - allow rpcbind_t self:fifo_file rw_file_perms; - allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; - allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; - allow rpcbind_t self:udp_socket create_socket_perms; -+# BROKEN ... 
-+dontaudit rpcbind_t self:udp_socket listen; - allow rpcbind_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) -@@ -37,6 +42,7 @@ - manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) - -+kernel_read_system_state(rpcbind_t) - kernel_read_network_state(rpcbind_t) - - corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2008-04-04 12:06:56.000000000 -0400 @@ -20672,7 +20681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-07 22:12:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-14 10:54:17.000000000 -0400 @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -20746,7 +20755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. files_read_usr_symlinks(gssd_t) +auth_use_nsswitch(gssd_t) -+auth_rw_cache(gssd_t) ++auth_manage_cache(gssd_t) + miscfiles_read_certs(gssd_t) 
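Review bot: `auth_rw_cache(gssd_t)` is widened to `auth_manage_cache(gssd_t)` without a comment saying why rpc.gssd must create and unlink files under `auth_cache_t`, which the authlogin.fc hunk below labels `/var/cache/coolkey`. Since that directory presumably holds the coolkey (smart card) certificate cache, create/unlink is a meaningful step up from read/write; if the denial being fixed is only file creation, a narrower rule would do, and if full management really is needed a one-line comment such as `# rpc.gssd creates and removes entries in the coolkey certificate cache` should accompany it. The rest of gssd's local policy lies outside the hunk.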
@@ -20756,6 +20765,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-04 12:06:56.000000000 -0400 +@@ -5,3 +5,5 @@ + /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) ++ ++/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-04 12:06:56.000000000 -0400 +@@ -95,3 +95,70 @@ + manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Execute rpcbind server in the rpcbind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`rpcbind_script_domtrans',` ++ gen_require(` ++ type rpcbind_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,rpcbind_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rpcbind environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rpcbind domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`rpcbind_admin',` ++ gen_require(` ++ type rpcbind_t; ++ type rpcbind_script_exec_t; ++ type rpcbind_var_lib_t; ++ type rpcbind_var_run_t; ++ ') ++ ++ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, rpcbind_t, rpcbind_t) ++ ++ # Allow rpcbind_t to restart the apache service ++ rpcbind_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rpcbind_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_var_lib($1) ++ manage_all_pattern($1,rpcbind_var_lib_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,rpcbind_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-04 12:06:56.000000000 -0400 +@@ -16,16 +16,21 @@ + type rpcbind_var_lib_t; + files_type(rpcbind_var_lib_t) + ++type rpcbind_script_exec_t; ++init_script_type(rpcbind_script_exec_t) ++ + ######################################## + # + # rpcbind local policy + # + +-allow rpcbind_t self:capability setuid; ++allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; + allow rpcbind_t self:fifo_file rw_file_perms; + allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; + allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; + allow rpcbind_t self:udp_socket create_socket_perms; ++# BROKEN ... 
++dontaudit rpcbind_t self:udp_socket listen; + allow rpcbind_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +42,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te 2008-04-04 12:06:56.000000000 -0400 @@ -22346,8 +22472,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-04-04 12:06:56.000000000 -0400 -@@ -18,6 +18,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-04-14 15:00:01.000000000 -0400 +@@ -18,12 +18,16 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) 
@@ -22357,7 +22483,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ######################################## # # Local policy -@@ -45,6 +48,7 @@ + # + allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; ++allow snmpd_t self:process getsched; + allow snmpd_t self:fifo_file rw_fifo_file_perms; + allow snmpd_t self:unix_dgram_socket create_socket_perms; + allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +@@ -45,6 +49,7 @@ kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) @@ -22365,7 +22498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) -@@ -81,8 +85,7 @@ +@@ -81,8 +86,7 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) @@ -23680,7 +23813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.3.1/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-02-06 10:33:21.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/ssh.if 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/ssh.if 2008-04-14 12:04:54.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
@@ -23851,7 +23984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.3.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/ssh.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/ssh.te 2008-04-14 12:35:04.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -23861,12 +23994,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # ssh client executable. type ssh_exec_t; -@@ -57,6 +57,12 @@ +@@ -57,6 +57,13 @@ init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') +type user_ssh_home_t; +userdom_user_home_content(user,user_ssh_home_t) ++typealias user_ssh_home_t alias user_home_ssh_t; + +type user_ssh_tmp_t; +files_tmp_file(user_ssh_tmp_t) @@ -23874,7 +24008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ################################# # # sshd local policy -@@ -80,6 +86,11 @@ +@@ -80,6 +87,11 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -23886,7 +24020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -101,6 +112,10 @@ +@@ -101,6 +113,10 @@ ') optional_policy(` @@ -23897,7 +24031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +134,11 @@ +@@ -119,7 +135,11 @@ ') optional_policy(` 
@@ -25692,7 +25826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-07 22:44:31.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-14 14:45:06.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -25765,7 +25899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type iceauth_exec_t; -application_executable_file(iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t) -+ + +type input_xevent_t, xevent_type; +type manage_xevent_t, xevent_type; +type output_xext_t, xextension_type; @@ -25781,7 +25915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +type x_rootcolormap_t; +type x_rootscreen_t; +type x_rootwindow_t; - ++ +type xauth_t; type xauth_exec_t; -application_executable_file(xauth_exec_t) @@ -25883,7 +26017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) - files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) +-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) ++files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) @@ -26112,7 +26247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +577,17 @@ +@@ -404,9 +577,18 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) 
@@ -26122,6 +26257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +getty_use_fds(xdm_xserver_t) +locallogin_use_fds(xdm_xserver_t) ++userdom_dontaudit_write_user_home_content_files(user, xdm_xserver_t) + +optional_policy(` + userhelper_search_config(xdm_xserver_t) @@ -26130,7 +26266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +601,22 @@ +@@ -420,6 +602,22 @@ ') optional_policy(` @@ -26153,7 +26289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +626,139 @@ +@@ -429,47 +627,138 @@ ') optional_policy(` @@ -26177,11 +26313,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) ++ unconfined_domain(xdm_xserver_t) +') + + +tunable_policy(`allow_xserver_execmem', ` + allow xdm_xserver_t self:process { execheap execmem execstack }; ++') ++ ++ifndef(`distro_redhat',` ++ allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` 
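Review bot: `unconfined_domain(xdm_xserver_t)` is added inside the unconfined `optional_policy` block (its opening line is outside the hunk) with no comment, and it removes confinement from the X server on every build that loads the unconfined module; the existing comment `# xserver signals unconfined user on startx` does not cover it. It also makes the `allow_xserver_execmem` tunable and the `ifndef(`distro_redhat'` / `ifdef(`distro_rhel4'` execmem blocks that follow moot whenever unconfined is present, so a reader cannot tell which rule is meant to take effect. Please add a comment stating the reason, e.g. `# X server runs unconfined when the unconfined module is loaded; the execmem rules below only apply without it`, or gate it on a boolean so it can be switched off on hardened hosts.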
@@ -26205,20 +26346,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ifndef(`distro_redhat',` ++ifdef(`distro_rhel4',` + allow xdm_xserver_t self:process { execheap execmem }; ') -+ifdef(`distro_rhel4',` -+ allow xdm_xserver_t self:process { execheap execmem }; -+') -+ +############################## # -# Wants to delete .xsession-errors file +# xauth_t Local policy - # --allow xdm_t user_home_type:file unlink; ++# +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) @@ -26266,7 +26402,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +############################## +# +# iceauth_t Local policy -+# + # +-allow xdm_t user_home_type:file unlink; + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) @@ -26325,8 +26462,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`allow_read_x_device',` + allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read; +') -+ -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc --- nsaserefpolicy/policy/modules/services/zabbix.fc 2007-04-11 15:52:54.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/zabbix.fc 2008-04-04 12:06:56.000000000 -0400 
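Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` in the iceauth_t local-policy section of xserver.te passes `$1` as the user prefix, but `$1` has no meaning in a .te file outside a macro definition; the xauth_t section above passes `user` for the same argument, so this looks like a copy-paste slip that the commit carries forward as a context line. It should read `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`; confirm against the build output whether the literal `$1` is currently rejected or silently yields an unusable rule. The surrounding rules of that section start and end outside this hunk.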
@@ -26549,7 +26684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-07 22:13:19.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-14 10:53:59.000000000 -0400 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -26703,7 +26838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1563,41 @@ +@@ -1491,3 +1563,59 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -26745,6 +26880,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + + rw_files_pattern($1, auth_cache_t, auth_cache_t) +') ++######################################## ++## ++## Manage authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_manage_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-04 12:06:56.000000000 -0400 
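Review bot: The new `auth_manage_cache` interface grants `manage_files_pattern($1, auth_cache_t, auth_cache_t)` but nothing that lets the caller reach the cache directory under /var/cache (the `/var/cache/coolkey(/.*)?` line earlier in this section labels it `auth_cache_t`); refpolicy interfaces for /var content normally pair the pattern with `files_search_var($1)`, and the neighbouring `auth_rw_cache` looks to have the same omission. Because `manage_files_pattern` includes create and unlink, the doc block should also make clear this is broader than `auth_rw_cache` so callers that only update existing entries pick the narrower one, e.g. `## Create, read, write, and delete authentication cache files.`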
@@ -28484,7 +28637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-06 06:44:20.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-14 14:21:10.000000000 -0400 @@ -489,3 +489,44 @@ manage_lnk_files_pattern($1,locale_t,locale_t) ') @@ -30167,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-14 13:29:50.000000000 -0400 @@ -2,15 +2,16 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -30527,7 +30680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-14 15:20:35.000000000 -0400 @@ -6,35 +6,67 @@ # Declarations # 
@@ -30696,28 +30849,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +187,6 @@ +@@ -134,82 +187,92 @@ ') optional_policy(` - mono_domtrans(unconfined_t) --') -- --optional_policy(` ++ oddjob_domtrans_mkhomedir(unconfined_t) + ') + + optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) --') -- --optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) ++ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') -@@ -154,62 +199,76 @@ + optional_policy(` +- oddjob_domtrans_mkhomedir(unconfined_t) ++ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- # cjp: this should probably be removed: -- postfix_domtrans_master(unconfined_t) +- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + tunable_policy(`allow_unconfined_qemu_transition', ` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ', ` 
@@ -30727,13 +30878,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + qemu_unconfined_role(unconfined_r) ') -+optional_policy(` + optional_policy(` +- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_role_transition(unconfined_r) -+') + ') + + optional_policy(` +- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- # cjp: this should probably be removed: +- postfix_domtrans_master(unconfined_t) ++ cron_per_role_template(unconfined, unconfined_t, unconfined_r) + ') +- optional_policy(` - pyzor_per_role_template(unconfined) + samba_per_role_template(unconfined) @@ -30807,7 +30967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +278,34 @@ +@@ -219,14 +282,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -30847,6 +31007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) ++domain_ptrace_all_domains(unconfined_notrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-04-04 12:06:56.000000000 -0400 
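Review bot: `++domain_ptrace_all_domains(unconfined_notrans_t)` by its name grants unconfined_notrans_t ptrace over every domain on the system, confined daemons included, and unlike the `rpm_transition_script` line above it carries no comment. Since ptrace exposes the memory and registers of the traced process, the reason should be recorded (`# unconfined_notrans_t may trace any domain: <reason>`) and, where the need is narrower, the rule limited to the domains those users actually debug. The declaration of unconfined_notrans_t is outside this hunk, so it is unclear here whether it already carries `unconfined_domain`, in which case this rule would be redundant.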
@@ -30862,7 +31023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-08 14:33:30.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-14 12:32:35.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -31825,8 +31986,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) -+ -+ optional_policy(` + + optional_policy(` +- loadkeys_run($1_t,$1_r,$1_tty_device_t) + dbus_per_role_template($1, $1_usertype, $1_r) + dbus_system_bus_client_template($1, $1_usertype) + @@ -31836,12 +31998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + cups_dbus_chat($1_usertype) + ') -+ ') - - optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) ') + ++ optional_policy(` ++ loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ ') ++ ') ####################################### 
@@ -31948,22 +32110,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1205,11 @@ +@@ -1193,12 +1205,15 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ hal_dbus_chat($1_t) ++ cron_per_role_template($1, $1_t, $1_r) ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1218,27 @@ +@@ -1207,7 +1222,27 @@ ') optional_policy(` @@ -31992,7 +32158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1315,6 @@ +@@ -1284,8 +1319,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -32001,7 +32167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1336,6 @@ +@@ -1307,8 +1340,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32010,7 +32176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1390,6 @@ +@@ -1363,13 +1394,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32024,7 +32190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1442,7 @@ +@@ -1422,6 +1446,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
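Review bot: `++ cron_per_role_template($1, $1_t, $1_r)` lands in the optional_policy block that previously held the netutils ping/traceroute rules with no comment explaining why the base user template now instantiates the per-role cron types; the pppd block beside it has `# Run pppd in pppd_t by default for user`, and a similar line such as `# per-role crontab domain for $1` would help. unconfined.te in this same patch also calls `cron_per_role_template(unconfined, unconfined_t, unconfined_r)`; if unconfined_t is also built through this template the per-role cron types would be declared twice, which is worth confirming. The enclosing template starts and ends outside the hunk.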
@@ -32032,7 +32198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1808,14 @@ +@@ -1787,10 +1812,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -32048,7 +32214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1911,11 @@ +@@ -1886,11 +1915,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -32062,7 +32228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1945,11 @@ +@@ -1920,11 +1949,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -32076,7 +32242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1993,12 @@ +@@ -1968,12 +1997,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -32092,7 +32258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2028,11 @@ +@@ -2003,10 +2032,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -32106,7 +32272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2064,47 @@ +@@ -2038,11 +2068,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -32156,7 +32322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2136,10 @@ +@@ -2074,10 +2140,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` 
@@ -32169,7 +32335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2169,11 @@ +@@ -2107,11 +2173,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -32183,7 +32349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2203,11 @@ +@@ -2141,11 +2207,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32198,7 +32364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2237,14 @@ +@@ -2175,10 +2241,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -32215,7 +32381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2274,11 @@ +@@ -2208,11 +2278,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -32229,7 +32395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2308,11 @@ +@@ -2242,11 +2312,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -32243,7 +32409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2342,10 @@ +@@ -2276,10 +2346,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -32256,7 +32422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2377,12 @@ +@@ -2311,12 +2381,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` 
@@ -32272,7 +32438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2414,10 @@ +@@ -2348,10 +2418,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -32285,7 +32451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2449,12 @@ +@@ -2383,12 +2453,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -32301,7 +32467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2486,12 @@ +@@ -2420,12 +2490,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -32317,7 +32483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2523,12 @@ +@@ -2457,12 +2527,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -32333,7 +32499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2573,11 @@ +@@ -2507,11 +2577,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -32347,7 +32513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2622,11 @@ +@@ -2556,11 +2626,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -32361,7 +32527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2666,11 @@ +@@ -2600,11 +2670,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` 
@@ -32375,7 +32541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2700,11 @@ +@@ -2634,11 +2704,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -32389,7 +32555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2734,11 @@ +@@ -2668,11 +2738,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -32403,7 +32569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2770,10 @@ +@@ -2704,10 +2774,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -32416,7 +32582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2805,10 @@ +@@ -2739,10 +2809,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -32429,7 +32595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2838,12 @@ +@@ -2772,12 +2842,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -32445,7 +32611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2875,10 @@ +@@ -2809,10 +2879,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -32458,7 +32624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2910,48 @@ +@@ -2844,10 +2914,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` 
@@ -32509,7 +32675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2981,12 @@ +@@ -2877,12 +2985,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -32525,7 +32691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3018,10 @@ +@@ -2914,10 +3022,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -32538,7 +32704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3053,12 @@ +@@ -2949,12 +3057,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -32554,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3090,11 @@ +@@ -2986,11 +3094,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -32568,7 +32734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3126,11 @@ +@@ -3022,11 +3130,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -32582,7 +32748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3162,11 @@ +@@ -3058,11 +3166,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -32596,7 +32762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3198,11 @@ +@@ -3094,11 +3202,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` 
@@ -32610,7 +32776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3234,11 @@ +@@ -3130,11 +3238,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -32624,7 +32790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3283,10 @@ +@@ -3179,10 +3287,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -32637,7 +32803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3327,10 @@ +@@ -3223,10 +3331,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -32650,7 +32816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3358,24 @@ +@@ -3254,24 +3362,24 @@ ## ## # @@ -32679,7 +32845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,23 +3394,24 @@ +@@ -3290,23 +3398,24 @@ ## ## # @@ -32711,7 +32877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3321,25 +3426,28 @@ +@@ -3321,25 +3430,96 @@ ## ## ##

@@ -32743,33 +32909,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

-## Read user untrusted files. +## List users untrusted directories. - ##

- ##

- ## This is a templated interface, and should only -@@ -3358,18 +3466,86 @@ - ##

- ## - # --template(`userdom_read_user_untrusted_content_files',` -+template(`userdom_list_user_untrusted_content',` - gen_require(` - type $1_untrusted_content_t; - ') - - allow $2 $1_untrusted_content_t:dir list_dir_perms; -- read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) - ') - - ######################################## - ## --## Manage user untrusted files. -+## Do not audit attempts to list user -+## untrusted directories. -+## -+## -+##

-+## Do not audit attempts to read user -+## untrusted directories. +##

+##

+## This is a templated interface, and should only @@ -32784,25 +32923,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +##

-+## Domain to not audit. ++## Domain allowed access. +## +## +# -+template(`userdom_dontaudit_list_user_untrusted_content',` ++template(`userdom_list_user_untrusted_content',` + gen_require(` + type $1_untrusted_content_t; + ') + -+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; ++ allow $2 $1_untrusted_content_t:dir list_dir_perms; +') + +######################################## +## -+## Read user untrusted files. ++## Do not audit attempts to list user ++## untrusted directories. +## +## +##

-+## Read user untrusted files. ++## Do not audit attempts to read user ++## untrusted directories. +##

+##

+## This is a templated interface, and should only @@ -32817,26 +32958,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +##

-+## Domain allowed access. ++## Domain to not audit. +## +## +# -+template(`userdom_read_user_untrusted_content_files',` ++template(`userdom_dontaudit_list_user_untrusted_content',` + gen_require(` + type $1_untrusted_content_t; + ') + -+ allow $2 $1_untrusted_content_t:dir list_dir_perms; -+ read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) ++ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; +') + +######################################## +## -+## Manage user untrusted files. - ## - ## - ##

-@@ -4231,11 +4407,11 @@ ++## Read user untrusted files. ++## ++## ++##

++## Read user untrusted files. + ##

+ ##

+ ## This is a templated interface, and should only +@@ -4231,11 +4411,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -32850,7 +32994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4427,10 @@ +@@ -4251,10 +4431,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -32863,7 +33007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4446,11 @@ +@@ -4270,11 +4450,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -32877,7 +33021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4465,16 @@ +@@ -4289,16 +4469,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -32897,7 +33041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4483,27 @@ +@@ -4307,12 +4487,27 @@ ## ## # @@ -32928,7 +33072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4518,13 @@ +@@ -4327,13 +4522,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -32946,7 +33090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4722,10 @@ +@@ -4531,10 +4726,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -32959,7 +33103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4742,10 @@ +@@ -4551,10 +4746,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` 
@@ -32972,7 +33116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4760,10 @@ +@@ -4569,10 +4764,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -32985,7 +33129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4779,10 @@ +@@ -4588,10 +4783,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -32998,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4797,10 @@ +@@ -4606,10 +4801,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -33011,7 +33155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4816,10 @@ +@@ -4625,10 +4820,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -33024,7 +33168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4835,11 @@ +@@ -4644,12 +4839,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -33040,7 +33184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4866,10 @@ +@@ -4676,10 +4870,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -33053,7 +33197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4884,10 @@ +@@ -4694,10 +4888,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` 
@@ -33066,7 +33210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4902,13 @@ +@@ -4712,13 +4906,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -33084,7 +33228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4944,49 @@ +@@ -4754,11 +4948,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -33135,7 +33279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5006,14 @@ +@@ -4778,6 +5010,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -33150,7 +33294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5075,26 @@ +@@ -4839,6 +5079,26 @@ ######################################## ##

@@ -33177,7 +33321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5115,25 @@ +@@ -4859,6 +5119,25 @@ ######################################## ## @@ -33203,7 +33347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5154,26 @@ +@@ -4879,6 +5158,26 @@ ######################################## ## @@ -33230,7 +33374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5410,7 @@ +@@ -5115,7 +5414,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -33239,7 +33383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5599,50 @@ +@@ -5304,6 +5603,50 @@ ######################################## ## @@ -33290,7 +33434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5848,42 @@ +@@ -5509,6 +5852,42 @@ ######################################## ## @@ -33333,7 +33477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +5934,7 @@ +@@ -5559,7 +5938,7 @@ attribute userdomain; ') @@ -33342,7 +33486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,7 +6049,7 @@ +@@ -5674,7 +6053,7 @@ ######################################## ## @@ -33351,7 +33495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5682,18 +6057,54 @@ +@@ -5682,18 +6061,17 @@ ## ## # 
@@ -33370,13 +33514,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## -## Unconfined access to user domains. (Deprecated) +## dontaudit search keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5701,6 +6079,410 @@ + ## + ## + # +-interface(`userdom_unconfined',` +- refpolicywarn(`$0($*) has been deprecated.') +interface(`userdom_dontaudit_search_all_users_keys',` + gen_require(` + attribute userdomain; @@ -33407,13 +33553,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +######################################## +## +## Unconfined access to user domains. (Deprecated) - ## - ## - ## -@@ -5704,3 +6115,370 @@ - interface(`userdom_unconfined',` - refpolicywarn(`$0($*) has been deprecated.') - ') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_unconfined',` ++ refpolicywarn(`$0($*) has been deprecated.') ++') + +######################################## +## @@ -33778,7 +33927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') -+') + ') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te 
@@ -35283,47 +35432,3 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular 2008-04-04 12:06:56.000000000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-- $(call perrole-expansion,$(basename $(@F)),$@.role)
-- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call perrole-expansion,$(basename $(@F)),$@.role)
-+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
-- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
-- $(call parse-rolemap,base,$@)
-+# $(call parse-rolemap,base,$@)
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf
$(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-04 12:06:56.000000000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e3744a7..b0b21db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -383,7 +383,7 @@ exit 0
 %endif
 %changelog
-* Thu Apr 10 2008 Dan Walsh 3.3.1-34
+* Mon Apr 14 2008 Dan Walsh 3.3.1-35
 * Thu Apr 10 2008 Dan Walsh 3.3.1-33
 - Allow dhcpd to read kernel network state
